My co-authors and I published updated versions of eight specifications in preparation for IETF 119 in Brisbane. The specifications span three working groups: JOSE, COSE, and OAuth. The updated specifications and outcomes when discussed at IETF 119 are as follows.
1, 2, & 3: JSON Web Proof, JSON Proof Algorithms, and JSON Proof Token. Updates were:
- Normatively defined header parameters used
- Populated IANA Considerations sections
- Allowed proof representations to contain multiple base64url-encoded parts
- Specified representation of zero-length disclosed payloads
- Added Terminology sections
- Updated to use draft-irtf-cfrg-bbs-signatures-05
- Updated to use draft-ietf-cose-bls-key-representations-04
- More and better examples
- Improvements resulting from a full proofreading
Continued reviews and feedback from implementations are requested.
4: Fully-Specified Algorithms for JOSE and COSE. Updates were:
- Published initial working group document following adoption
- Added text on fully-specified computations using multiple algorithms
- Added text on KEMs and encapsulated keys
- Updated instructions to the designated experts
It was agreed during the JOSE meeting to describe what fully-specified algorithms for ECDH would look like, for consideration by the working group.
5: OAuth 2.0 Protected Resource Metadata. Updates were:
- Switched from concatenating .well-known to the end of the resource identifier to inserting it between the host and path components of it
- Have WWW-Authenticate return resource_metadata URL rather than resource identifier
It was decided to start working group last call during the OAuth meeting.
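The two Protected Resource Metadata changes above can be seen side by side in the following sketch, which is an added example and not code from the specification or its authors. It assumes the draft's default well-known suffix oauth-protected-resource, an https resource identifier with no fragment, and that a terminating slash is dropped before the well-known string is placed; the host name and challenge value are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Default well-known path suffix defined by the Protected Resource Metadata draft.
WELL_KNOWN = "/.well-known/oauth-protected-resource"


def _split_resource(resource: str):
    """Parse a resource identifier; assumed to be an https URL with no fragment."""
    parts = urlsplit(resource)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        raise ValueError("expected an https URL with a host and no fragment")
    return parts


def metadata_url_appended(resource: str) -> str:
    """Earlier form: well-known string concatenated to the end of the identifier."""
    p = _split_resource(resource)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + WELL_KNOWN, p.query, ""))


def metadata_url_inserted(resource: str) -> str:
    """Updated form: well-known string inserted between host and path."""
    p = _split_resource(resource)
    # Assumption of this example: a terminating slash is dropped before inserting.
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + p.path.rstrip("/"), p.query, ""))


def resource_metadata_from_challenge(header: str) -> Optional[str]:
    """Extract the resource_metadata parameter from a WWW-Authenticate value."""
    m = re.search(r'\bresource_metadata="([^"]*)"', header)
    return m.group(1) if m else None


if __name__ == "__main__":
    rid = "https://resource.example.com/api/v1"  # constructed sample identifier
    print(metadata_url_appended(rid))
    print(metadata_url_inserted(rid))
    # Constructed challenge carrying the metadata URL rather than the identifier.
    challenge = 'Bearer error="invalid_token", resource_metadata="%s"' % metadata_url_inserted(rid)
    print(resource_metadata_from_challenge(challenge))
```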
6: COSE “typ” (type) Header Parameter. Updates were:
- Added language about media type parameters
- Addressed working group last call comments
- Changed requested assignment from 14 to 16 due to conflict with a new assignment
- Addressed GENART, OPSDIR, and SECDIR review comments
This document is scheduled for the April 4, 2024 IESG telechat.
7: Barreto-Lynn-Scott Elliptic Curve Key Representations for JOSE and COSE. Updates were:
- Changed to use key type EC for JOSE and equivalent EC2 for COSE for uncompressed key representations
- Changed identifier spellings from “Bls” to “BLS”, since these letters are people’s initials
We received feedback to not add compressed key representations to the draft.
8: Use of Hybrid Public-Key Encryption (HPKE) with JavaScript Object Signing and Encryption (JOSE). Updates were:
- Use existing "alg": "dir" value for HPKE Direct Encryption mode
- Aligned choices more closely with those of Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)
- Defined both Integrated Encryption mode and Key Encryption mode
- Added IANA Considerations section
- Removed Post-Quantum Considerations
It was decided to start a working group call for adoption during the JOSE meeting.
Thanks to all who contributed to the progress made on these specifications, both before and during IETF 119!